Hi team,
For Azure App Services (PaaS resources that use a load balancer) with the default internet access to the storage account restricted, could you add: "Do not use the public OUTBOUND IP addresses of the PaaS resources (for example: Azure App Services) when configuring your storage account firewall when the resources are in the same region."
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-faqs?source=recommendations
How do connections to Azure Storage in the same region work?
Having outbound connectivity via the scenarios above isn't necessary to connect to storage in the same region as the VM. Use network security groups (NSGs) as explained above to prevent this behavior. For connectivity to storage in other regions, outbound connectivity is required. The source IP address in the storage diagnostic logs will be an internal provider address, and not the public IP address of your VM when connecting to storage from a VM in the same region. To restrict access to your storage account to VMs in one or more virtual network subnets in the same region, use Virtual Network service endpoints. Don't use your public IP address when configuring your storage account firewall. When service endpoints are configured, you'll see your virtual network private IP address in your storage diagnostic logs and not the internal provider address.
The solution is to configure VNet integration and configure the VNet in the storage firewall.
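The configuration described in the issue above (VNet integration for the app plus a virtual network rule on the storage firewall), sketched as a Bicep template. This is an added example, not part of the original issue or of Microsoft's documentation; the resource names, address ranges and the `storageName` and `planId` parameters are assumptions.

```bicep
// Added example with constructed names and address ranges.
param location string = resourceGroup().location
param storageName string // hypothetical storage account name
param planId string      // resource ID of an existing App Service plan (assumed)

resource vnet 'Microsoft.Network/virtualNetworks@2022-07-01' = {
  name: 'vnet-app'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.10.0.0/16' ] }
    subnets: [
      {
        name: 'snet-appsvc'
        properties: {
          addressPrefix: '10.10.1.0/24'
          // Service endpoint: storage sees this subnet instead of an internal provider address
          serviceEndpoints: [ { service: 'Microsoft.Storage' } ]
          // Delegation needed for App Service regional VNet integration
          delegations: [
            { name: 'appsvc', properties: { serviceName: 'Microsoft.Web/serverFarms' } }
          ]
        }
      }
    ]
  }
}

resource app 'Microsoft.Web/sites@2022-03-01' = {
  name: 'app-example'
  location: location
  properties: {
    serverFarmId: planId
    virtualNetworkSubnetId: vnet.properties.subnets[0].id // VNet integration
  }
}

resource storage 'Microsoft.Storage/storageAccounts@2022-09-01' = {
  name: storageName
  location: location
  sku: { name: 'Standard_LRS' }
  kind: 'StorageV2'
  properties: {
    networkAcls: {
      defaultAction: 'Deny'
      // Not matched by same-region App Service traffic, so left out:
      // ipRules: [ { value: '<app outbound public IP>', action: 'Allow' } ]
      virtualNetworkRules: [ { id: vnet.properties.subnets[0].id, action: 'Allow' } ]
    }
  }
}
```

After deployment, the storage diagnostic logs should show the subnet's private addresses as the caller, which is the behaviour the quoted FAQ describes for service endpoints.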